247techify blog.
Critical NGINX Vulnerabilities: F5 Patches Two Unauthenticated RCE Flaws in HTTP/3 and HTTP/2 Modules
Cybersecurity


F5 issued emergency patches on June 17, 2026 for two CVSS 9.2 NGINX flaws that let unauthenticated attackers crash servers or execute code. Here is what to do right now.

If your business runs web applications, APIs, or microservices behind NGINX, read this now. F5 has issued emergency patches for two critical vulnerabilities that allow remote attackers to crash your servers or execute their own code, with no username or password required.

What Happened

F5 published an out-of-band security notification on June 17, 2026, with an update the following day. This was not a routine quarterly release. Out-of-band releases are reserved for flaws F5 does not want sitting in a queue.

The two vulnerabilities affect the ngx_http_v3_module (CVE-2026-42530) and the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055). Both can be exploited by unauthenticated remote attackers to trigger denial-of-service or code execution on systems with non-default configurations. F5 has released updated versions of NGINX Plus, NGINX Open Source, and NGINX Gateway Fabric to address them.

Breaking Down the Two CVEs

CVE-2026-42530: The HTTP/3 QUIC Flaw (CVSS v4: 9.2)

This is a use-after-free vulnerability in the ngx_http_v3_module. When NGINX is configured to use the HTTP/3 QUIC module, an attacker on the open internet can send specially crafted traffic that corrupts memory inside the NGINX worker process. The immediate result is a crash and service restart. The more serious outcome, possible on servers where ASLR is weakened or misconfigured, is full remote code execution.

NGINX versions 1.31.0 through 1.31.1 are vulnerable. Version 1.31.2 and later are not. Researchers are tracking this bug informally as "nginx-quicburst," and a public video demonstration is already available. That is a double-edged sword: it helps defenders understand how the attack behaves, but it also gives attackers a clear roadmap.

CVE-2026-42055: The HTTP/2 and gRPC Flaw (CVSS v4: 9.2)

This flaw affects NGINX Plus and Open Source when using the ngx_http_proxy_v2_module or gRPC with HTTP/2 backends. Successful exploitation causes a heap-based buffer overflow in the NGINX worker process, leading to a restart.

The trigger is narrower here. Three conditions must align: a location block must use grpc_pass or proxy_http_version 2, the ignore_invalid_headers directive must be off, and large_client_header_buffers must exceed two megabytes. A standard NGINX install is likely not exposed, but gRPC-heavy API gateways and custom proxy setups are absolutely in scope.

Who Is Affected

The blast radius is large. Vulnerable products and versions include:

  • NGINX Open Source: 1.31.0 through 1.31.1
  • NGINX Instance Manager: 2.17.0 through 2.22.0
  • NGINX Gateway Fabric: 1.3.0 through 1.6.2, and 2.0.0 through 2.6.3
  • NGINX Ingress Controller: across the 3.x, 4.x, and 5.x release lines
  • NGINX Plus and several WAF products also appear on the list

NGINX powers roughly a third of all web servers globally, making the potential attack surface enormous.

Is Anyone Exploiting This Right Now?

No active exploitation has been confirmed. That is good news, but not a reason to wait. The public video demonstration of CVE-2026-42530 lowers the barrier for attackers significantly. History shows the gap between "no exploitation" and "active exploitation" is measured in days to weeks once a proof of concept is public.

What Patches Are Available

  • NGINX Open Source: patched in version 1.31.2; CVE-2026-42055 is also fixed in 1.30.3
  • NGINX Plus: patched in R36 P6 and version 37.0.2.1
  • NGINX Gateway Fabric: patched in version 2.6.4

Patches for NGINX Instance Manager and NGINX Ingress Controller are not yet available.

Concrete Steps Your Team Must Take Now

  1. Find every NGINX instance you run. Check cloud environments, Kubernetes clusters, on-prem servers, and any vendor-supplied appliances. Shadow deployments in dev and staging pipelines count too.

  2. Check which version each instance is running. Run nginx -v on each host. Version 1.31.0 or 1.31.1 means you are vulnerable to CVE-2026-42530. If you use gRPC proxying or HTTP/2 backends with custom header settings, audit for CVE-2026-42055 as well.

  3. Patch immediately where a fix exists. Upgrade NGINX Open Source to 1.31.2. For NGINX Plus, apply R36 P6 or move to 37.0.2.1. For NGINX Gateway Fabric, move to 2.6.4.

  4. Apply interim mitigations for unpatched products. For CVE-2026-42530, if you cannot yet patch NGINX Instance Manager or Ingress Controller, disable HTTP/3 QUIC if it is not business-critical. F5 confirms there is no control plane exposure, so this is a data-plane configuration change only.

  5. Verify ASLR is enabled on all servers. On Linux, check /proc/sys/kernel/randomize_va_space and confirm it reads 2. A value of 0 dramatically increases the risk of code execution via CVE-2026-42530.

  6. Monitor F5's advisory page for Instance Manager and Ingress Controller patches. F5 article K000161616 is the canonical source. Subscribe to F5 security notification emails if you have not already.

  7. Review logs for anomalous HTTP/3 traffic. Unusual patterns in QUIC-protocol traffic to your NGINX instances could indicate probing, even without confirmed exploitation.
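To make steps 2, 4 and 5 repeatable across a fleet, and to check the three configuration conditions the post lists for CVE-2026-42055, the following host-side audit script is an added example for this article. It is not tooling from F5, NGINX or 247techify. It reads the version from `nginx -v`, the effective configuration from `nginx -T`, and ASLR from `/proc/sys/kernel/randomize_va_space`, and reports exposure. Assumptions: the 1.31.0 to 1.31.1 range for CVE-2026-42530 and the three CVE-2026-42055 conditions are taken from the post; the "exceeds two megabytes" condition is applied to the size argument of `large_client_header_buffers`; the config scan is a flat regex heuristic that does not track per-location scope; the two sample configurations are constructed for the demo.

```python
#!/usr/bin/env python3
"""nginx_advisory_audit.py: host-side checks for the two NGINX advisories.

Added example, not F5's, NGINX's or 247techify's tooling. Reads the running
version (nginx -v), the effective config (nginx -T) and ASLR state, and
reports exposure to CVE-2026-42530 and CVE-2026-42055 as the post describes.
"""
import re
import shutil
import subprocess

# Version range the post gives for CVE-2026-42530, inclusive.
CVE_2026_42530_RANGE = ((1, 31, 0), (1, 31, 1))
TWO_MIB = 2 * 1024 * 1024
_SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}


def parse_nginx_version(banner: str) -> tuple:
    """Pull (major, minor, patch) out of the `nginx -v` banner, e.g. 'nginx version: nginx/1.31.1'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError(f"no nginx version found in {banner!r}")
    return tuple(int(part) for part in m.groups())


def version_vulnerable_to_42530(version: tuple) -> bool:
    """True for 1.31.0 and 1.31.1; 1.31.2 and later carry the fix."""
    low, high = CVE_2026_42530_RANGE
    return low <= version <= high


def parse_size(token: str) -> int:
    """Convert an nginx size token ('8k', '3m', '4096') to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if m is None:
        raise ValueError(f"bad size token {token!r}")
    return int(m.group(1)) * _SIZE_UNITS[m.group(2).lower()]


def strip_comments(conf: str) -> str:
    """Drop '#' comments so commented-out directives do not trigger findings."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def audit_config(conf: str) -> dict:
    """Flat regex scan of an nginx config (assumption: a single dump as produced
    by `nginx -T`; per-location scoping of the directives is not tracked)."""
    text = strip_comments(conf)
    http2_backend = re.search(r"\b(grpc_pass\s+[^;]+|proxy_http_version\s+2)\s*;", text) is not None
    invalid_headers_off = re.search(r"\bignore_invalid_headers\s+off\s*;", text) is not None
    # Assumption: the "exceeds two megabytes" condition refers to the size
    # argument (second argument) of large_client_header_buffers.
    big_buffers = any(
        parse_size(m.group(2)) > TWO_MIB
        for m in re.finditer(r"\blarge_client_header_buffers\s+(\d+)\s+(\S+?)\s*;", text)
    )
    return {
        "http3_quic_enabled": re.search(r"\blisten\s+[^;]*\bquic\b", text) is not None,
        "http2_or_grpc_backend": http2_backend,
        "ignore_invalid_headers_off": invalid_headers_off,
        "large_client_header_buffers_over_2m": big_buffers,
        # All three conditions from the post must hold for CVE-2026-42055.
        "cve_2026_42055_conditions_met": http2_backend and invalid_headers_off and big_buffers,
    }


def aslr_ok(raw: str) -> bool:
    """randomize_va_space must read 2; 0 sharply raises the RCE risk for CVE-2026-42530."""
    return raw.strip() == "2"


# Constructed sample configs (not from the post) for the stand-alone demo.
SAMPLE_EXPOSED_CONF = """
http {
    large_client_header_buffers 4 3m;
    ignore_invalid_headers off;
    server {
        listen 443 quic reuseport;   # HTTP/3 enabled
        listen 443 ssl;
        location /api/ { grpc_pass grpc://backend:50051; }
    }
}
"""
SAMPLE_DEFAULT_CONF = """
http {
    server {
        listen 443 ssl;
        location / { proxy_pass http://backend; }
    }
}
"""


def audit_host() -> dict:
    """Run the checks on this host; fall back to the constructed sample when nginx is absent."""
    if shutil.which("nginx") is None:
        version, conf, aslr_raw = (1, 31, 1), SAMPLE_EXPOSED_CONF, "2\n"  # constructed demo values
    else:
        version = parse_nginx_version(subprocess.run(["nginx", "-v"], capture_output=True, text=True).stderr)
        conf = subprocess.run(["nginx", "-T"], capture_output=True, text=True).stdout
        try:
            with open("/proc/sys/kernel/randomize_va_space") as fh:
                aslr_raw = fh.read()
        except OSError:
            aslr_raw = ""  # not Linux or not readable: reported as not OK
    report = audit_config(conf)
    report["version"] = ".".join(map(str, version))
    report["cve_2026_42530_version_affected"] = version_vulnerable_to_42530(version)
    report["cve_2026_42530_exposed"] = report["cve_2026_42530_version_affected"] and report["http3_quic_enabled"]
    report["aslr_ok"] = aslr_ok(aslr_raw)
    return report


if __name__ == "__main__":
    for key, value in audit_host().items():
        print(f"{key:40} {value}")
```

Run it as root (or a user that can read the config) on each host found in step 1; `nginx -T` dumps the effective configuration including `include` files, so the scan covers the whole running config rather than just `nginx.conf`. Treat a `cve_2026_42055_conditions_met` of True as a prompt to review the relevant location blocks by hand, since the scan does not confirm that all three directives apply to the same location.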

The Bigger Picture

This is the second major out-of-band NGINX advisory in a short window. Five weeks after the NGINX Rift advisory had teams scrambling, F5 pushed another emergency fix. That pattern signals something important: attackers are actively studying NGINX's HTTP/3 and HTTP/2 code paths. The web server infrastructure most businesses treat as invisible plumbing is being picked apart for weaknesses. Treating NGINX as a "set it and forget it" component is no longer viable. Version tracking, automated patch alerts, and routine configuration audits have to become standard practice for any team running NGINX at scale.

How 247techify can help

At 247techify, we help businesses track, prioritize, and act on critical vulnerability disclosures across their entire infrastructure, including NGINX, web servers, cloud-native stacks, and third-party appliances, before attackers can exploit them. If your team is unsure which NGINX versions are running across your environment or needs help building a reliable patching workflow, get in touch at https://www.247techify.com/ and we will help you close the gap.

